Updated: November 23, 2024

arp -a

View ARP cache showing IP to MAC address mappings.

Command: arp -a

Category: Network

Type: CMD

Purpose

Displays the Address Resolution Protocol (ARP) cache, which maps IP addresses to physical MAC addresses on your local network. This table shows which devices Windows has recently communicated with and their hardware addresses.

Quick Summary

See the ARP cache showing all IP-to-MAC address mappings for devices on your local network. Essential for network troubleshooting, identifying devices, detecting ARP spoofing, and understanding local network communication. The ARP cache is automatically maintained by Windows for efficient network communication.

How to Use

  1. Open Command Prompt or PowerShell.
  2. Type arp -a and press Enter.
  3. View the ARP table showing IP addresses, MAC addresses, and types.

Common variations:

arp -a                    - Show all entries
arp -a 192.168.1.1       - Show ARP entry for specific IP
arp -d                    - Delete all entries (requires admin)
arp -d 192.168.1.100     - Delete specific entry (requires admin)
arp -s 192.168.1.1 00-11-22-33-44-55  - Add static entry (requires admin)

Tips and Best Practices

  • Use -a to view the complete ARP cache.
  • MAC addresses appear in format: 00-11-22-33-44-55
  • Check the "Type" column: dynamic entries are temporary, static entries are manually added.
  • Clear the ARP cache if experiencing network connectivity issues with specific devices.
  • Compare MAC addresses with device labels for physical device identification.
  • Monitor for duplicate IP addresses (same IP with different MACs).
  • Save output for documentation: arp -a > arp-cache.txt

Understanding the Output

Example output:

Interface: 192.168.1.100 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static

Columns explained:

  • Interface: Your computer's IP and adapter index
  • Internet Address: IP address of remote device
  • Physical Address: MAC address of remote device
  • Type: Dynamic (temporary, learned) or Static (manually configured)

Special MAC addresses:

  • ff-ff-ff-ff-ff-ff - Broadcast address
  • All zeros or incomplete - Entry is incomplete or being resolved
  • Multicast addresses start with 01-00-5e

Common Use Cases

  • Network troubleshooting: Verify devices are reachable at hardware level.
  • Device identification: Find MAC addresses of network devices.
  • Duplicate IP detection: Identify if multiple devices claim same IP.
  • ARP spoofing detection: Spot suspicious MAC address changes for known IPs.
  • Network documentation: Record MAC addresses for asset management.
  • Connection issues: Clear stale ARP entries causing connectivity problems.

Prerequisites

  • Windows Command Prompt or PowerShell
  • No administrator rights required to view ARP cache
  • Administrator rights required to modify cache (add/delete entries)
  • Available on all Windows versions

ARP Cache Management

View cache:

arp -a

Clear entire ARP cache (as Administrator):

arp -d *

Clear specific entry (as Administrator):

arp -d 192.168.1.50

Add static entry (as Administrator):

arp -s 192.168.1.100 00-11-22-33-44-55

Note: Dynamic entries repopulate automatically; static entries persist until they are manually removed or the system reboots.

Troubleshooting

  • "No ARP Entries Found" - Normal if you haven't communicated with other devices recently. Try pinging a device first.
  • Entry not showing - Device may be offline or not responding; try pinging it: ping IP_ADDRESS
  • "Access denied" when deleting - Run Command Prompt as Administrator.
  • MAC shows as incomplete - ARP resolution failed; device may be offline or unreachable.
  • Multiple IPs with same MAC - Normal if device has multiple IPs, or could indicate network misconfiguration.
  • IP conflict warnings - If the entries share one MAC, it is the same device; if they show different MACs, there is an IP address conflict.

Detecting ARP Spoofing

Warning signs:

  • MAC address for router/gateway suddenly changes
  • Multiple IPs show the same MAC address (when they shouldn't)
  • Known device's MAC address changes unexpectedly
  • Network traffic routing through unexpected device

Verification steps:

  1. Note your router's IP and MAC: arp -a
  2. Verify MAC against router label or admin interface
  3. Monitor for changes: run arp -a periodically
  4. Compare with previous records
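
The comparison in steps 3 and 4, as an added PowerShell example that is not part of the original page: it parses two saved arp -a outputs and reports the first three warning signs listed above. The function names ConvertFrom-ArpOutput and Compare-ArpSnapshot and the sample snapshots are constructed for illustration, and English-language arp output is assumed.

```powershell
# Parse text saved from "arp -a" into one object per cache entry (English output assumed).
function ConvertFrom-ArpOutput {
    param([string[]]$Lines)
    $iface = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Interface:\s+(\S+)') { $iface = $Matches[1]; continue }
        if ($line -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)') {
            [pscustomobject]@{ Interface = $iface; IP = $Matches[1]
                               MAC = $Matches[2].ToLower(); Type = $Matches[3] }
        }
    }
}

function Compare-ArpSnapshot {
    param([string[]]$Baseline, [string[]]$Current)
    $known = @{}
    ConvertFrom-ArpOutput $Baseline | ForEach-Object { $known["$($_.Interface)|$($_.IP)"] = $_.MAC }
    # Broadcast and IPv4 multicast mappings are expected to be shared, so leave them out.
    $now = @(ConvertFrom-ArpOutput $Current | Where-Object {
        $_.MAC -ne 'ff-ff-ff-ff-ff-ff' -and $_.MAC -notlike '01-00-5e*' })
    # Warning sign: an IP seen before (for example the gateway) now maps to another MAC.
    foreach ($e in $now) {
        $old = $known["$($e.Interface)|$($e.IP)"]
        if ($old -and $old -ne $e.MAC) {
            [pscustomobject]@{ Finding = 'MAC changed'; IP = $e.IP; Detail = "$old -> $($e.MAC)" }
        }
    }
    # Warning sign: several IPs on one interface answer with the same MAC.
    $now | Group-Object Interface, MAC | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{ Finding = 'Shared MAC'; IP = ($_.Group.IP -join ', '); Detail = $_.Group[0].MAC }
    }
}

# Constructed sample snapshots, not real captures; 192.168.1.1 stands in for the gateway.
$baseline = @'
Interface: 192.168.1.100 --- 0x4
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-ff     dynamic
'@ -split '\r?\n'
$current = @'
Interface: 192.168.1.100 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
'@ -split '\r?\n'

Compare-ArpSnapshot -Baseline $baseline -Current $current | Format-Table -AutoSize
```

With real data, pass (Get-Content arp-saved.txt) as -Baseline and (arp -a) as -Current. A reported change still needs checking against the router label or admin interface, because a replaced device or a reassigned address produces the same finding.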

ARP Cache Timeout

Dynamic ARP entries have a time-to-live (TTL):

  • Unused entries: Removed after 2 minutes of no traffic
  • Used entries: Remain for 10 minutes with traffic
  • Complete vs incomplete: Incomplete entries time out faster
  • Static entries: Never expire (until deleted or reboot)

Common MAC Address Prefixes

The first 3 bytes identify the manufacturer (OUI):

  • 00-50-56 - VMware virtual adapters
  • 08-00-27 - VirtualBox virtual adapters
  • Vendors can be looked up online in the IEEE OUI database

PowerShell equivalent:

Get-NetNeighbor
Get-NetNeighbor -AddressFamily IPv4

Flush ARP and DNS together:

arp -d *
ipconfig /flushdns

View with continuous monitoring (batch script):

@echo off
:loop
cls
arp -a
timeout /t 5
goto loop

IPv6 Neighbor Discovery

For IPv6, use neighbor discovery instead:

netsh interface ipv6 show neighbors

Or PowerShell:

Get-NetNeighbor -AddressFamily IPv6

Scripting Example

Save ARP cache with timestamp (the quotes keep the redirect working when %date% or %time% expands with a space):

arp -a > "arp-cache-%date:/=-%_%time::=-%.txt"

Compare current with saved:

arp -a > arp-current.txt
fc arp-saved.txt arp-current.txt

Related Commands

  • ping - Test connectivity (populates ARP cache)
  • ipconfig - Display network configuration
  • getmac - Display MAC address of your adapters
  • netstat -r - Display routing table
  • nmap - Advanced network scanning (third-party)
  • Wireshark - Packet capture showing ARP traffic (third-party)